CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-34145 – jenkins-plugin/script-security: sandbox bypass via sandbox-defined classes
https://notcve.org/view.php?id=CVE-2024-34145
A sandbox bypass vulnerability involving sandbox-defined classes that shadow specific non-sandbox-defined classes in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. Una vulnerabilidad de omisión de la sandbox que involucra clases definidas en la sandbox que ocultan clases específicas no definidas en la sandbox en Jenkins Script Security Plugin 1335.vf07d9ce377a_e y versiones anteriores permite a atacantes con permiso para definir y ejecutar scripts en la sandbox, incluidos Pipelines, para eludir la protección de la sandbox y ejecutar de forma arbitraria. código en el contexto de la JVM del controlador Jenkins. A sandbox bypass vulnerability was found in the Jenkins Script Security Plugin within the sandbox-defined classes, enabling the circumvention of security restrictions. ... This security mechanism intercepts calls within sandboxed scripts, referencing various allowlists to decide whether these calls should be permitted. The vulnerabilities that allow for sandbox bypass have been identified in versions up to 1335.vf07d9ce377a_e of the Script Security Plugin. ... These improvements ensure that calls to super constructors are intercepted by the sandbox, including: - Ensuring that calls to other constructors via 'this' are now appropriately managed within the sandbox. - No longer overlooking classes in packages that may be overshadowed by Groovy-defined classes when intercepting super constructor calls. • http://www.openwall.com/lists/oss-security/2024/05/02/3 https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341 https://access.redhat.com/security/cve/CVE-2024-34145 https://bugzilla.redhat.com/show_bug.cgi?id=2278821 • CWE-290: Authentication Bypass by Spoofing CWE-693: Protection Mechanism Failure •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 1CVE-2024-34144 – jenkins-plugin/script-security: sandbox bypass via crafted constructor bodies
https://notcve.org/view.php?id=CVE-2024-34144
A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. Una vulnerabilidad de omisión de la sandbox que involucra cuerpos de constructores manipulados en Jenkins Script Security Plugin 1335.vf07d9ce377a_e y versiones anteriores permite a atacantes con permiso para definir y ejecutar scripts de la sandbox, incluidos Pipelines, eludir la protección de la sandbox y ejecutar código arbitrario en el contexto de la JVM del controlador Jenkins. A sandbox bypass vulnerability was found in the Jenkins Script Security Plugin involving crafted constructor bodies, enabling the circumvention of security restrictions. ... This security mechanism intercepts calls within sandboxed scripts, referencing various allowlists to decide whether these calls should be permitted. The vulnerabilities that allow for sandbox bypass have been identified in versions up to 1335.vf07d9ce377a_e of the Script Security Plugin. ... These improvements ensure that calls to super constructors are intercepted by the sandbox, including: - Ensuring that calls to other constructors via 'this' are now appropriately managed within the sandbox. - No longer overlooking classes in packages that may be overshadowed by Groovy-defined classes when intercepting super constructor calls. • https://github.com/MXWXZ/CVE-2024-34144 http://www.openwall.com/lists/oss-security/2024/05/02/3 https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341 https://access.redhat.com/security/cve/CVE-2024-34144 https://bugzilla.redhat.com/show_bug.cgi?id=2278820 • CWE-693: Protection Mechanism Failure •
CVSS: 10.0EPSS: 96%CPEs: 2EXPL: 12CVE-2024-4040 – CrushFTP VFS Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2024-4040
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. VFS Sandbox Escape en CrushFTP en todas las versiones anteriores a 10.7.1 y 11.1.0 en todas las plataformas permite a atacantes remotos con privilegios bajos leer archivos del sistema de archivos fuera de VFS Sandbox. CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS). • https://github.com/entroychang/CVE-2024-4040 https://github.com/Mohammaddvd/CVE-2024-4040 https://github.com/Praison001/CVE-2024-4040-CrushFTP-server https://github.com/airbus-cert/CVE-2024-4040 https://github.com/Stuub/CVE-2024-4040-SSTI-LFI-PoC https://github.com/gotr00t0day/CVE-2024-4040 https://github.com/rbih-boulanouar/CVE-2024-4040 https://github.com/jakabakos/CVE-2024-4040-CrushFTP-File-Read-vulnerability https://github.com/olebris/CVE-2024-4040 https://github.com&# • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 8.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-32462 – Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing
https://notcve.org/view.php?id=CVE-2024-32462
When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. ... Cuando esto se convierte en un `--command` y argumentos, logra el mismo efecto de pasar argumentos directamente a `bwrap` y, por lo tanto, puede usarse para un escape sandbox. ... This is normally safe because it can only specify a command that exists inside the sandbox. When a crafted "commandline" is converted into a "--command" and arguments, the app could achieve the same effect of passing arguments directly to bwrap to achieve sandbox escape. • http://www.openwall.com/lists/oss-security/2024/04/18/5 https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97 https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/messa • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29021 – SSRF into Sandbox Escape through Unsafe Default Configuration
https://notcve.org/view.php?id=CVE-2024-29021
The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server Side Request Forgery (SSRF). • https://github.com/judge0/judge0/blob/ad66f77b131dbbebf2b9ff8083dca9a68680b3e5/app/jobs/isolate_job.rb#L203-L230 https://github.com/judge0/judge0/security/advisories/GHSA-q7vg-26pg-v5hr • CWE-918: Server-Side Request Forgery (SSRF) CWE-1393: Use of Default Password •